Category: Surveillance & Privacy

Europe’s top court clarifies GDPR compensation and data access rights

The European Union’s top court has handed down a couple of notable rulings today in the arena of data protection. One (Case C-300/21) deals with compensation for breaches of the bloc’s General Data Protection Regulation (GDPR); and the second (Case C-487/21) clarifies the nature of information that individuals exercising GDPR rights to obtain a copy of data held on them…

FTC moves to ban Meta from profiting off data of users under age 18

The U.S. Federal Trade Commission is alleging Facebook “repeatedly violated its privacy promises” and is proposing a “blanket prohibition” on parent company Meta’s monetization of data of users under 18. The company, meanwhile, called the move “a political stunt.” The FTC on Wednesday moved to expand its $5 billion privacy order with then-Facebook from 2020, claiming the company failed to…

Amazon Accused of Collecting Biometric Data

In a class-action lawsuit filed March 16 by an Amazon Go customer, Amazon was accused of not properly notifying its New York Amazon Go store customers that it was tracking and collecting their biometric data.

Amazon Go stores are cashierless stores operated by Amazon.com that allow customers to enter the store, pick up the products they want, and walk out without having to wait in a checkout line or scan their items. The stores use a combination of computer vision, sensor fusion, and deep-learning technologies to detect which products customers take off the shelves and then charge their Amazon accounts accordingly.

According to the lawsuit, Amazon Go collects biometric data “by scanning the palms of some customers to identify them and by applying computer vision, deep learning algorithms, and sensor fusion that measure the shape and size of each customer’s body to identify customers, track where they move in the stores, and determine what they have purchased.”

There is reasonable concern that the biometric data allegedly collected by Amazon might find their way into federal databases, as Amazon also provides server space to the federal government.

The STOP CSAM Act Is An Anti-Encryption Stalking Horse

E2EE is a widely used technology that protects everyone’s privacy and security by encoding the contents of digital communications and files so that they’re decipherable only by the sender and intended recipients. Not even the provider of the E2EE service can read or hear its users’ conversations. E2EE is built in by default to popular apps such as WhatsApp, iMessage, FaceTime, and Signal, thereby securing billions of people’s messages and calls for free. Default E2EE is also set to expand to Meta’s Messenger app and Instagram direct messages later this year. 

E2EE’s growing ubiquity seems like a clear win for personal privacy, security, and safety, as well as national security and the economy. And yet E2EE’s popularity has its critics – including, unfortunately, Sen. Durbin. Because it’s harder for providers and law enforcement to detect malicious activity in encrypted environments than unencrypted ones (albeit not impossible, as I’ll discuss), law enforcement officials and lawmakers often demonize E2EE. But E2EE is a vital protection against crime and abuse, because it helps to protect people (children included) from the harms that happen when their personal information and private conversations fall into the wrong hands: data breaches, hacking, cybercrime, snooping by hostile foreign governments, stalkers and domestic abusers, and so on.

That’s why it’s so important that national policy promote rather than dissuade the use of E2EE – and why it’s so disappointing that STOP CSAM has turned out to be just the opposite: yet another misguided effort by lawmakers in the name of online safety that would only make us all less safe. 

First, STOP CSAM’s new criminal and civil liability provisions could be used to hold E2EE services liable for CSAM and other child sex offenses that happen in encrypted environments. Second, the reporting requirements look like a sneaky attempt to tee up future legislation to ban E2EE outright.

Critical-rated security flaw in Illumina DNA sequencing tech exposes patient data

The U.S. government has sounded the alarm about a critical software vulnerability found in genomics giant Illumina’s DNA sequencing devices, which hackers can exploit to modify or steal patients’ sensitive medical data.

In separate advisories released on Thursday, U.S. cybersecurity agency CISA and the U.S. Food and Drug Administration warned that the security flaw — tracked as CVE-2023-1968 with the maximum vulnerability severity rating of 10 out of 10 — allows hackers to remotely access an affected device over the internet without needing a password. If exploited, the bug could allow hackers to compromise devices to produce incorrect or altered results, or none at all.

EU proposes new copyright rules for generative AI

BRUSSELS – Companies deploying generative artificial intelligence (AI) tools, such as ChatGPT, will have to disclose any copyrighted material used to develop their systems, according to an early European Union agreement that could pave the way for the world’s first comprehensive laws governing the technology.

The European Commission began drafting the AI Act nearly two years ago to regulate the emerging technology, which underwent a boom in investment and popularity following the release of OpenAI’s ChatGPT.

Members of the European Parliament agreed to push the draft through to the next stage, the trilogue, during which EU lawmakers and member states will thrash out the final details of the bill.

Under the proposals, AI tools will be classified according to their perceived risk level: from minimal through to limited, high, and unacceptable.

Hackers steal emails, private messages from hookup websites

Hackers have stolen email addresses, direct messages, and other personal data from users of two dating websites, according to a data breach expert.

Earlier this week, someone alerted Troy Hunt, the founder and maintainer of the data breach alerting website Have I Been Pwned, that hackers had breached two dating websites, CityJerks and TruckerSucker. Hunt told TechCrunch that he analyzed the stolen data and found usernames, email addresses, passwords, profile pictures, sexual orientation, users’ date of birth, their city and state, their IP addresses, and biographies. The stolen passwords are scrambled with a weak algorithm that could potentially be broken and allow hackers to see the actual passwords.

Senator Brian Schatz and the Unconstitutional Age Verification Bill

Senator Brian Schatz is one of the more thoughtful Senators we have, and he and his staff have actually spent time talking to lots of experts in trying to craft bills regarding the internet. Unfortunately, it still seems like he falls under the seductive sway of this or that moral panic, so when the bills actually come out, they’re…

Meta braces for data transfers suspension order, GDPR fine

A filing with the U.S. Securities and Exchange Commission shows Meta is preparing for a stop on its EU-U.S. data flows and an EU General Data Protection Regulation fine. The company’s Q1 2023 earnings report explained to investors the impacts of the imminent final decision from Ireland’s Data Protection Commission on the legality of its EU-U.S. transfers.
The DPC order, expected to be formally published by 12 May, could force a halt to Facebook’s EU operations if adequacy for the DPF is not granted before the order takes effect. Additionally, Meta is planning for a potentially steep monetary fine and corrective measures from the DPC after recommendations from the European Data Protection Board.
“We expect the Irish Data Protection Commission to issue a decision in May in its previously disclosed inquiry relating to transatlantic data transfers of Facebook EU/EEA user data, including a suspension order for such transfers and a fine,” Meta explained in its report.
IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, said the expected stop transfers order and any yet-to-be-announced corrective measures could prove more meaningful than even a record penalty, noting curtailed data flows and subsequent change in data-driven business model “could have even larger financial implications for Meta and thousands of other companies.”
A new data transfer mechanism to replace the EU-U.S. Privacy Shield Framework remains the top solution for Meta’s transfer woes.
The timeline for finalization of a new mechanism remains undetermined as the European Commission works toward a final adequacy decision with the U.S. under the proposed EU-U.S. Data Privacy Framework. European Commissioner for Justice Didier Reynders previously indicated the DPF could be finalized as early as July, which could be just in time if the order includes a three-month implementation window, as some previous orders have.
“Our ongoing consultations with policymakers on both sides of the Atlantic continue to indicate that the proposed new EU-U.S. Data Privacy Framework will be fully implemented before the deadline for suspension of such transfers, but we cannot exclude the possibility that it will not be completed in time,” Meta wrote. “We will also evaluate whether and to what extent the (DPC) decision could otherwise impact our data processing operations even after a new data privacy framework is in force.”
In the wider scope of the looming order, Fennessy said, “This could lead EU businesses to demand data localization from U.S. business partners or to switch to domestic alternatives. Such shifts could well outlast the adequacy process. Privacy professionals across sectors should prepare their CEOs and boards for significant data transfer disruptions in the months to come.”
Case origins
In July 2020, the Court of Justice of the European Union invalidated Privacy Shield and cast a shadow over the use of standard contractual clauses in what’s commonly known as the “Schrems II” decision. In the wake of the CJEU decision, the DPC initiated an “own volition” inquiry under Ireland’s Data Protection Act to consider whether Facebook’s data transfers to the U.S. were legal.
Meta’s legal challenges to the DPC’s inquiry were denied by the High Court of Ireland in May 2021. That paved the way for the DPC to reach its draft decision to halt Meta from transferring personal data from the EU to the U.S. through its use of standard contractual clauses. The draft decision was sent to EU data protection authorities in July 2022.
Meta responded by claiming its Facebook and Instagram operations in the EU may be shuttered pending the final decision and the timeline for a Privacy Shield replacement.
Delivery of the decision to DPAs triggered two EU General Data Protection Regulation-mandated processes concerning the European Data Protection Board. The EDPB first took up an Article 60 process that provided DPAs a month to deliberate, comment, or express “relevant or reasoned objection,” on the DPC’s draft decision. Objections were made, forcing an Article 65 dispute resolution among board members.
The EDPB’s binding Article 65 decision issued 13 April resolved data protection authorities’ differences on “whether an administrative fine and/or an additional order to bring processing into compliance must be included in the Irish DPA’s final decision.”
The DPC has one month to adopt its final decision based on the EDPB’s opinion and legal analysis. Irish Data Protection Commissioner Helen Dixon recently said she expects the final decision to be published no later than 12 May.

Montana, Tennessee comprehensive privacy bills clear legislatures

The wave of U.S. comprehensive state privacy legislation that few ever thought would materialize in a calendar year has revealed itself. Comprehensive bills in Montana and Tennessee cleared their respective state legislatures 21 April — the first same-day passage for two state privacy bills — to join Indiana and Iowa among states to reach the finish line this year.

Both bills, which now await enactment pending the governors’ signatures, carry likeness to existing state privacy laws with some originality.

Montana Senate Bill 384 aligns exclusively with the Connecticut Data Privacy Act after surprise amendments during the cross-chamber process. Tennessee’s bill brings the most unique provisions, including enforcement that hinges on adoption of the U.S. National Institute of Standards and Technology’s Privacy Framework.

U.S. spied on UN Secretary General

The U.S. allegedly eavesdropped on private conversations between United Nations Secretary General António Guterres and other U.N. officials, according to documents obtained by the Washington Post. The classified documents highlight conversations that Guterres had with top U.N. officials and world leaders, including one about how he was angry that he was not allowed to visit the Tigray region of Ethiopia,…

DOJ: Two Arrested for Operating Illegal Overseas Police Station of the Chinese Government

Defendants Are New York City Residents Who Allegedly Operated the Police Station in Lower Manhattan and Destroyed Evidence When Confronted by the FBI

A complaint was unsealed today in federal court in Brooklyn, New York, charging two defendants in connection with opening and operating an illegal overseas police station, located in lower Manhattan, New York, for a provincial branch of…

Abusive Governments (And The Criminals They Employ) Are Going To LOVE The UN’s Cybercrime Treaty

Various treaties and multi-national proposals to combat cybercrime have been around for years. I’m not exaggerating. These have been floating around for more than a decade. (Do you want to feel old? This cybercrime treaty proposal would be old enough to legally obtain a social media account in the United States if it were still viable.)

The UN has been pushing its own version. But its idea of “crime” seems off-base, especially when it’s dealing with a conglomerate of countries with varying free speech protections. The “Cybercrime Treaty” proposed by the UN focuses on things many would consider ugly, distasteful, abhorrent, or even enraging. But it’s not things most people consider to be the sort of “crimes” a unified world front should be addressing — not when there’s plenty of financially or personally damaging cybercrime being performed on the regular.

AI Firm Clearview AI Scrapes 30 Billion Social Media Photos, Hands Them to Law Enforcement

One of the most notorious privacy-breaching tech companies in operation, Clearview AI, has, according to its CEO, scraped 30 billion social media photos, packaged and curated them, and passed them along to the surveillance state authorities to do with what they will (in the dark, with no oversight, naturally, as the Founders warned such authorities would if left unchecked). Clearview’s…

Canada faces questions over alleged Chinese interference

When Member of Parliament Kenny Chiu was contacted by the Canadian Security Intelligence Service (CSIS) ahead of Canada’s federal election in 2021, he was puzzled. He had never expected to be part of a CSIS investigation, let alone one that required an in-person talk at the height of Canada’s COVID-19 pandemic. “At that time, everything had moved online, so it was…

French Court Smacks Remote Learning Software Company For Pervasive Surveillance Of Students In Their Own Homes

In a preliminary victory in the continuing fight against privacy-invasive software that “watches” students taking tests remotely, a French administrative court outside Paris suspended a university’s use of the e-proctoring platform TestWe, which monitors students through facial recognition and algorithmic analysis.

TestWe software, much like Proctorio, Examsoft, and other proctoring apps we’ve called out for intrusive monitoring of exam takers, constantly tracks students’ eye movements and their surroundings using video and sound analysis. The court in Montreuil, France, ruled that such “permanent surveillance of bodies and sounds” is unreasonable and excessive for the purpose of preventing cheating.